 Analysing risk trends and how to predict the likelihood of occurrence

 Diversifying risk management strategies to prepare for eventuality

Incorporating flexibility in risk management frameworks, adapting to evolving risks and taking interconnectedness into account. There is a lot going on here and each bullet point alone could consume pages of contemplative writing but to stay in line with the topic of ‘interconnectedness’ let’s drive out some important deliberations on this subject matter.

The ability of risk managers to appreciate Interconnectedness in their risk assessment work is perhaps one of the top ten key reasons why a risk management response strategy will be successful or not and we are seeing ever-increasing evidence today that specific risks may be interrelated in more ways than perhaps we imagined some decades ago. The global economy is certainly Supply Chain ‘interlinked’ on one level and on another, fuelled by an autonomous integrated media network that rapidly dissimilates opinion across stakeholder communities that may result in diverse outcomes.

These interconnections can be interpreted as information layers and risk managers need to have an epistemic understanding of how specific relationships fuel outcomes if they have any hope in improving risk management oversight.

Crisis Planning Trends

If the United Airlines incident teaches us anything about risk management, it is Crisis Planning and Developing a Proactive Media Response must be operated in an interconnected fashion. I am sure most of you reading this blog will be aware of the event I am referring to without clicking the LINK supplied because you are plugged in, you are part of an interconnected self-directed propagated network of rapidly changing opinion. This digital opinion has the potential to carry reputational currency with a surplus or a deficit, just as United Airlines discovered. Social media is a game changer because information (not data) quickly dissimilates across stakeholder communities while a situation is unfolding, this digital opinion can add to or take away from a specific risk event. If you want to see interconnection, then this is a great example of it !!!

ISO 31000 Integration

ISO 31000, the global risk standard has plenty to say on Integration (interpreted from interconnectedness) and ideas of interconnectedness feature in both the 2009 published guideline as well as the 2017 revision that has recently been made available to the practitioner community.

“Risk management should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.”

Principles 4.3.4 | ISO 31000:2009

“Risk management is an integral part of all organizational activities, including decision making. It is not a stand-alone activity that is separate from the activities and processes of the organization. Everyone in an organization has responsibility for managing risk. Risk management improves decision making at all levels.” ... Everyone becomes interconnected and unless they work in harmony, the overal risk management framework is going to be compromised.

Principles 4b | ISO / DIS 31000

Component Interconnectedness

I believe the interconnectedness concept ISO 31000 correctly makes mention to in its guidance should not only be applied to how the overall process of risk management is embedded into risk identification and decision-making efforts. Interconnectedness should also be considered introspectively in the risk management standard and across the entire people~process~system space!

In the diagram below we can see the various activity centres of ISO 31000, moving from establishing context through to risk treatment. These individual ISO 31000 functions feed each other with data, information or narratives and while they are relatively ineffective on their own, they become incredibly powerful when they are interconnected or combined in the right order with the right people.

Integrated Framework Elements | Causal Capital

From a system perspective, the Framework Elements (shown to the right of the diagram) also need to be integrated otherwise the overall risk management framework is compromised.

These Framework Elements, just like the ISO 31000 Risk Management Processes, may be individual activities for an enterprise-wide risk framework but they also act as data pools or tables in a final risk management IT solution. One of the key reasons why risk management fails comes down to how the Framework Elements are interconnected between individuals in the company and there are some risk managers I stumble across who have never even considered this network of interrelations. From the IT camp, there are also not enough developers with a solid grasp on risk management requirements. These IT developers also tend to drop the importance of interconnectedness between software interfaces and the people that use those solutions.

2 comments:

Martin, to me the interconnections are build in in the ISO 31000 principles, framework and process, where the principles are guiding mental models and the framework defines the architecture of risk management in the entire organisation. I think the misconception in many peoples heads is the distinction between risk management and risk assessment. Risk assessment is expert work, using expert tools likely done by expert risk managers. But this is not risk management. The interconnectedness comes from the managers that come just before and after the risk assessment when looking at the process structure. Managers have their objectives and they need to manage the uncertainties (both positive and negative effects) regarding these objectives. For this, they need to be fully aware of the context and they have to set the risk criteria. Specialists cab then assess (identify, analyse and evaluate) risks, where the manager then has to decide on the risk treatment, given the data obtained by the assessment. But the real interconnections are coming from the communication & consultation, as well as the monitor and review parts of the process, as these steps can involve any stakeholder, even external to the organisation. Who to connect with then depends on the objectives involved and the situation at hand. So from a systems perspective, the assessment is the smallest system, embedded in the larger system of the managers, which in its turn is embedded in the larger system of the stakeholders.4But this just my view on things, not only looking at the perspective of loss and loss prevention, but also looking at the perspective of profit and performance improvement. The same process can be used for both sides, connecting safety and performance in organisations.

Author

Martin Davies is a risk framework architect with strong domain knowledge across a diverse set of risk fraternities, a background in banking front-to-back and the ability to articulate business requirements into functional information technology concepts. He is focused on structured products for emerging markets and works with several tier one banks, regulators and brokerages across South East Asia.